Hi all,
this is my first post, i hope the question could be interesting just as much for me as it is for you and that it's not too dumb.

I get to the point:

implementing an evil-twin attack, in a wpa2-enterprise network, in which my notebook is the authenticator and the authentication server (the AP and the radius server) and where the MSCHAPv2 protocol is used as inner authentication method, I can retrieve an NTLMv1 Hash, an MD4, as suggested in these posts, and as the example picture shows:

[Image: 6gxgC.jpg]

(i'm using hostapd-wpe in a TESTING environment)

But, reading the details about the MSCHAPv2 protocol, I cannot explain me how it's possible that I can retrieve this (NTLM) hash; especially, if the protocol uses the NTLM hash, just as a key, to encrypt the challenge hash and do not explicitly send it, to the radius server.

From RFC 2759 - "Microsoft PPP CHAP Extensions, Version 2"  I found:

Quote:Response Packet

The MS-CHAP-V2 Response packet is identical in format to the standard CHAP Response packet.  However, the Value field is sub-formatted differently as follows:

   16 octets: Peer-Challenge
    8 octets: Reserved, must be zero
   24 octets: NT-Response
    1 octet : Flags

The NT-Response field is an encoded function of the password, the user name, the contents of the Peer-Challenge field and the received challenge as output by the routine GenerateNTResponse()

Quote:8.1.  GenerateNTResponse()

   IN  16-octet              AuthenticatorChallenge,
   IN  16-octet              PeerChallenge,
   IN  0-to-256-char         UserName,
   IN  0-to-256-unicode-char Password,
   OUT 24-octet              Response )
      8-octet  Challenge
      16-octet PasswordHash

      ChallengeHash( PeerChallenge, AuthenticatorChallenge, UserName,
                     giving Challenge)

      NtPasswordHash( Password, giving PasswordHash )
      ChallengeResponse( Challenge, PasswordHash, giving Response )

Quote:8.5. ChallengeResponse(
   IN  8-octet  Challenge,
   IN  16-octet PasswordHash,
   OUT 24-octet Response )
      Set ZPasswordHash to PasswordHash zero-padded to 21 octets

      DesEncrypt( Challenge,
                  1st 7-octets of ZPasswordHash,
                  giving 1st 8-octets of Response )

      DesEncrypt( Challenge,
                  2nd 7-octets of ZPasswordHash,
                  giving 2nd 8-octets of Response )

      DesEncrypt( Challenge,
                  3rd 7-octets of ZPasswordHash,
                  giving 3rd 8-octets of Response )

How it's possible that i can retrieve the PasswordHash, instead of trying to obatin it trough the des-encrypted string?

Thank you for all your help
if you look at the 5500 (netntlmv1) kernel you can see that it does involve DES encryption:

however, here is a post about recovering the ntlm hash from the netntlmv1 hash:
(04-11-2018, 10:46 PM)undeath Wrote: however, here is a post about recovering the ntlm hash from the netntlmv1 hash:

Ok now it's more clear  Smile thanks a lot Smile

In particular I would point out the link reported from the author of the post, that definitively solved my doubts: